#%PAM-1.0 # pam_securetty.so is commented out since sshd already does a good job of # protecting itself. You may uncomment it if you like, but then you may # need to add additional consoles to /etc/securetty if you want to allow # root logins on them, such as: ssh, pts/0, :0, etc #auth required pam_securetty.so # When using pam_faillock, print a message to the user if the account is # locked. This lets the user know what is going on, but it also potentially # gives additional information to attackers: #auth requisite pam_faillock.so preauth auth include system-auth # To set a limit on failed authentications, the pam_faillock module # can be enabled. See pam_faillock(8) for more information. #auth [default=die] pam_faillock.so authfail #auth sufficient pam_faillock.so authsucc auth include postlogin account required pam_nologin.so account include system-auth password include system-auth session include system-auth session include postlogin session required pam_loginuid.so -session optional pam_elogind.so